Virtual Chief Information Security Officer

Job Location: Columbia - USA

Monthly Salary: Not Disclosed

Vacancy: 1

Job Description

Position: Virtual Chief Information Security Officer (vCISO)

C2C Hourly rate: $125/hr

Client: Howard Community College (HCC)

Location: 10901 Little Patuxent Parkway, Columbia, Maryland 21044 (100% remote)

Duration: Three years (part time, up to 20 hours a week)

DK Consulting Overview: Founded in May 2003, DK Consulting LLC, a woman-owned small business, was formed to provide management and technology solutions based on industry best practices. DK Consulting LLC works with multiple State, Federal, and Commercial customers, and our services range from providing customers with that one critical resource to assuming responsibility for an entire IT project. We offer excellent benefits and provide exceptional employee management.

The vCISO shall provide expert virtual cybersecurity services up to twenty (20) hours a week during normal business hours, which may be exceeded in the event of a security incident or breach. HCC seeks a fresh perspective on its security measures and protocols, not only to improve its posture but also to identify new risks and opportunities. The vCISO will also be responsible for leading HCC's efforts to address the nine (9) elements of the Gramm-Leach-Bliley Act (GLBA) for compliance purposes.

Duties and Responsibilities:

  1. Perform a detailed cyber risk assessment that includes, but is not limited to, the following:
    1. Analyze and iterate upon the previous risk assessment conducted in 2024.
    2. Identify, estimate, and prioritize potential information and cyber security risks at the college.
    3. Examine HCC's current technology security controls, policies, and procedures to assess potential threats or attacks.
    4. Evaluate HCC's threat landscape, vulnerabilities, and cyber gaps that pose a risk to its assets.
  2. Be prepared to act as HCC's Qualified Individual (QI) to present quarterly reports to HCC's Board of Trustees and leadership, as required and specified by GLBA.
  3. Enhance HCC's information security program using a framework such as the Center for Internet Security (CIS) Critical Security Controls or CIS Implementation Group 1 (IG1) that protects HCC in accordance with GLBA security requirements:
    1. Use industry-standard benchmarks to track adherence to the selected framework.
    2. If needed, develop a step-by-step process for server hardening.
  4. Perform third-party and partner evaluations using the Higher Education Community Vendor Assessment Toolkit (HECVAT). Review and update the third-party vendor management policy as needed.
  5. Provide information security leadership, communication, investigation, mitigation, containment, and post-incident analysis in the event of a cyber incident.
  6. Update and enhance existing cybersecurity policies and procedures as required by GLBA. The policies include, but are not limited to:
    1. Incident Response Plan
    2. Information Security Plan
    3. Third-Party Vendor Management
    4. Vulnerability Management
    5. Data Management
    6. Software Management
    7. Hardware Asset Management
  7. Provide guidance on real-time threat analysis identified by HCC's security operations center.
  8. Develop and implement a strategy for conducting regular security audits and assessments to identify vulnerabilities and ensure compliance with security policies.
  9. Write a clear and concise incident response plan that meets industry standards.
  10. Develop business continuity and disaster recovery plans and conduct annual tabletop exercises.
  11. Review and provide guidance on existing Security Awareness & Training materials and activities.
  12. Participate in meetings as needed (i.e., weekly, monthly, quarterly, ad hoc, etc.). Under normal circumstances in-person meetings are not required; in the event of an incident or breach, an in-person meeting may be required. Additional in-person meetings will be scheduled as needed with advance notice.
  • Security Metrics & Reporting - Define and track Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for cybersecurity. Provide monthly dashboards or scorecards to leadership.
  • Zero Trust Architecture (ZTA) Guidance - Assess HCC's readiness for Zero Trust. Develop a roadmap for implementing ZTA principles.
  • Cloud Security Posture Management - Review and advise on the security configuration of cloud services (e.g., Microsoft 365, AWS, Azure). Ensure alignment with CIS Benchmarks and shared responsibility models.
  • Security Architecture Review - Review and advise on network segmentation, identity and access management (IAM), and endpoint detection and response (EDR) strategies.
  • Data Privacy & Protection - Support compliance with FERPA, HIPAA, and Maryland state privacy laws. Recommend data classification and data loss prevention (DLP) strategies.
  • Cybersecurity Awareness Program Expansion - Develop or identify role-based training for faculty, staff, and students.
  • Tabletop Exercises & Incident Simulations - Include ransomware and insider threat scenarios in exercises.
  • Emerging Threat Intelligence - Provide quarterly threat briefings tailored to higher education. Integrate threat intelligence feeds into HCC's security operations.
  • Security Budget & Resource Planning - Make recommendations for a multi-year cybersecurity budget. Perform gap analysis to recommend staffing or managed services.
  • Cyber Insurance Readiness - Review current cyber insurance policies. Ensure controls meet insurer requirements and reduce premiums.

Minimum Qualifications:

  • Must possess years of experience providing virtual or remote CISO-level services, including the ability to translate complex security concepts for executive and non-technical audiences. Includes leadership experience in advising executive teams or governing bodies on cybersecurity strategies.
  • Must possess at least 7-10 years of experience in IT security-related roles such as security analyst, network administrator, or similar positions.
  • Possession of industry-recognized certifications such as CISSP, CISM, or CISA:
    • Certified Information Systems Security Professional (CISSP)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Auditor (CISA)
  • Demonstrates strong knowledge of regulatory requirements (e.g., FERPA, GLBA, HIPAA, PCI-DSS) and sound risk management practices tailored for higher education institutions.
  • Knowledge of Security Frameworks - Demonstrates understanding and application of recognized cybersecurity frameworks, including NIST 800-53, CIS Critical Security Controls, and CIS Implementation Group 1 (IG1).
  • Cybersecurity Technologies - Demonstrates familiarity with current security technologies, including those commonly deployed in higher education settings (e.g., firewalls, endpoint protection, SIEM, IAM).
  • Threat Intelligence and Incident Response - Demonstrates experience in proactive threat detection, vulnerability assessments, risk mitigation, and effective incident response practices.

Educational Requirement: Possession of a bachelor's degree or higher in cybersecurity, information technology, computer science, or a related field from an accredited U.S. institution. A master's degree is preferred.

*No Visa Restrictions*


Required Experience:

Chief

Employment Type: Hourly
